Thilo Planz [TP], on Friday, January 28, 2005 at 18:31 (+0900) wrote
these comments:
TP> sub image_exist{
TP> my ($id, $date) = @_;
TP> my ($count) = $mydbh->selectrow_array (
TP> ' select count(*) from pic where id = ? ',
TP> {}, # no attributes
TP> $id
TP> );
TP> print $count ? "$id exist\n" : "$id not exist\n";
TP> }
yes, this is nice, and I understand this, I don't need to call
finish(), because it always get me 1 line. Nice. Also I can use:
' select count(*) from pic where id = ? ', undef, $id
right ? But {} is shorter :)
So my
TP> Using bind variables is always preferable, for example because if $id
TP> contains something other than you think it does,
TP> it could change the SQL statement itself, with all kinds of possibly
TP> bad results.
hm, I know what I'm doing here - I have 2 databases (one in mysql,
other in mssql), and ID is always (!) number - it is unique
identifier, user have no possiblity to change id. Of course, I know,
why it is better variables - for security reasons.
TP> This will happen if $id is undefined.
TP> Perl warns about this, and the SQL becomes invalid:
>> select ID from pic where id = -- and nothing more
TP> With bind variables, this will not make Perl warnings or SQL errors,
TP> but will just return "not exist".
TP> You should check why this subroutine gets an undefined $id (probably an
TP> error in the calling code) and what to do in this case.
yes, but this is that interesting thing. I always call it with some
ID, id is always defined. When I ran script with variables, (same
ids) it worked, when I put $id inside statement it failed (with same
ids)
again thanks for nice reply! After some changes, my subroutine is:
sub image_exist {
my ($count) = $mydbh->selectrow_array (' select count(*) from pic
where id = ? ', {}, $_[0]);
return $count;
}
--
...m8s, cu l8r, Brano.
[You don't need to be a cannibal to be fed up with Bill Clinton.]
